Why Use Private Subnets in a VPC When Instances Without a Public IP in Public Subnets are Private Anyway?

What is the point of having private subnets at all when you can simply take away an EC2 instance’s public IP to make it private?

The main difference between a public & private subnet is what the subnet’s default route is, in the VPC’s routing tables. This determines the validity of public IPs on instances in that subnet. Each subnet has 1 default route, which can be:

  • Either the VPC’s internet gateway, in the case of a public subnet.
  • Or a NAT gateway, in the case of a private subnet.

The internet gateway does not do any network address translation for instances without public IPs so an instance without a public IP cannot connect to the internet. For instances with only a private IP, there’s an alternate way of outbound internet access — a NAT gateway. The instances in a private subnet can access the internet because the default route on a private subnet is the NAT gateway.

When private instances send traffic to the internet, the traffic is sent, by the VPC, to the NAT gateway, which replaces the source IP on the network packets with its own public IP, sends the traffic out to the internet, accepts the response packets & forwards them back to the originating machine. A NAT gateway doesn’t allow any inbound traffic to reach private instances, unless it’s configured to do so.

Neither the security group of the NAT gateway, nor the security group of the private instance, need to be configured to allow the response traffic, because security groups are stateful.

Similarly, you cannot deploy an instance with a public IP on a private subnet. Inbound traffic from the internet would hit the public IP of the instance, but the replies would try to route outward through the NAT gateway, which would either drop the traffic (since it would be replies to connections it’s not aware of) or would rewrite the reply traffic to use its own public IP address, so the external origin would not accept these replies.

So the private & public designations are not really about accessibility from the internet. They are about the kinds of IPs that will be assigned to the instances in that subnet. If your instances with private IPs never need to talk to the internet, then they could be deployed on a public subnet & would still be inaccessible from the internet.

Or… ditch private subnets & NAT gateways entirely! They aren’t necessary. If you don’t want the machine to be accessible from the internet, just don’t put it in a security group that allows such access. By ditching the NAT gateway, you are eliminating the running cost of the gateway, & you also eliminate the speed limit imposed by the NAT gateway!